Container Management Utility Run Inside A Container

This rule detects when a container management binary is run from inside a container. These binaries are critical components of many containerized environments, and their presence and execution in unauthorized containers could indicate compromise or a misconfiguration.

Elastic rule:

```toml
[metadata]
creation_date = "2023/04/26"
integration = ["cloud_defend"]
maturity = "production"
min_stack_comments = "New Integration: Cloud Defend"
min_stack_version = "8.8.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = "This rule detects when a container management binary is run from inside a container. These binaries are critical components of many containerized environments, and their presence and execution in unauthorized containers could indicate compromise or a misconfiguration."
false_positives = ["""
  There is a potential for false positives if the container is used for legitimate administrative tasks that require the use of container management utilities, such as deploying, scaling, or updating containerized applications. It is important to investigate any alerts generated by this rule to determine if they are indicative of malicious activity or part of legitimate container activity.
  """]
from = "now-6m"
index = ["logs-cloud_defend*"]
interval = "5m"
language = "eql"
license = "Elastic License v2"
name = "Container Management Utility Run Inside A Container"
risk_score = 21
rule_id = "6c6bb7ea-0636-44ca-b541-201478ef6b50"
severity = "low"
tags = ["Data Source: Elastic Defend for Containers", "Domain: Container", "OS: Linux", "Use Case: Threat Detection", "Tactic: Execution"]
timestamp_override = "event.ingested"
type = "eql"

query = """
process where container.id: "*" and event.type == "start"
  and process.name: ("dockerd", "docker", "kubelet", "kube-proxy", "kubectl", "containerd", "runc", "systemd", "crictl")
"""

[[rule.threat]]
framework = "MITRE ATT&CK"

  [rule.threat.tactic]
  id = "TA0002"
  reference = "https://attack.mitre.org/tactics/TA0002/"
  name = "Execution"

  [[rule.threat.technique]]
  id = "T1609"
  reference = "https://attack.mitre.org/techniques/T1609/"
  name = "Container Administration Command"
```
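To make the query's semantics concrete, the following is an added Python example (not Elastic's code and not part of the rule) that mirrors the three conditions of the EQL query, `process where container.id: "*"`, `event.type == "start"` and the `process.name: (...)` list, as a predicate over ECS-shaped event dicts, and runs it over a handful of constructed sample events. The sample events, container ids, and command lines are invented for illustration; the field names follow ECS and the binary list is the rule's own.

```python
"""Evaluate the detection logic of the rule above over constructed sample events.

Added example, not Elastic's code: the EQL engine is replaced by a small Python
predicate that mirrors the query's conditions. Events are plain dicts using ECS
dotted field names (event.category, event.type, container.id, process.name).
"""
import fnmatch

# Same binary list as the rule's query, lower-cased for case-insensitive matching.
CONTAINER_MGMT_BINARIES = frozenset({
    "dockerd", "docker", "kubelet", "kube-proxy", "kubectl",
    "containerd", "runc", "systemd", "crictl",
})


def get_field(event, dotted):
    """Resolve an ECS dotted field name against a nested dict; None if absent."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _values(value):
    """Normalize a field value to a list, since ECS fields may be scalar or array."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def matches_rule(event):
    """Return True when the event satisfies every clause of the EQL query."""
    # `process where ...`: the event category must include "process".
    if "process" not in _values(get_field(event, "event.category")):
        return False
    # `container.id: "*"`: a wildcard match that only succeeds when the field
    # exists as a string, so host processes without a container id never match.
    container_ids = _values(get_field(event, "container.id"))
    if not any(isinstance(c, str) and fnmatch.fnmatchcase(c, "*") for c in container_ids):
        return False
    # `event.type == "start"`: exact comparison; any array element may match.
    if "start" not in _values(get_field(event, "event.type")):
        return False
    # `process.name: (...)`: the ':' operator is a case-insensitive string match.
    names = {n.lower() for n in _values(get_field(event, "process.name")) if isinstance(n, str)}
    return bool(names & CONTAINER_MGMT_BINARIES)


def run_rule(events):
    """Return one alert dict per matching event with the fields an analyst triages first."""
    alerts = []
    for ev in events:
        if matches_rule(ev):
            alerts.append({
                "container_id": get_field(ev, "container.id"),
                "process_name": get_field(ev, "process.name"),
                "command_line": get_field(ev, "process.command_line"),
                "user": get_field(ev, "user.name"),
            })
    return alerts


# Constructed sample events (ids and command lines are invented).
SAMPLE_EVENTS = [
    # 1. kubectl started inside a container: every clause is satisfied.
    {"event": {"category": ["process"], "type": ["start"]},
     "container": {"id": "3f1c0a9b7e2d"},
     "process": {"name": "kubectl", "command_line": "kubectl get pods -A"},
     "user": {"name": "root"}},
    # 2. The same kind of binary on the host: no container.id, so excluded.
    {"event": {"category": "process", "type": "start"},
     "process": {"name": "dockerd", "command_line": "/usr/bin/dockerd -H fd://"},
     "user": {"name": "root"}},
    # 3. Ordinary shell inside a container: process.name is not on the list.
    {"event": {"category": ["process"], "type": ["start"]},
     "container": {"id": "3f1c0a9b7e2d"},
     "process": {"name": "bash", "command_line": "bash -c ls"},
     "user": {"name": "app"}},
    # 4. Process exit of runc inside a container: event.type is "end", not "start".
    {"event": {"category": ["process"], "type": ["end"]},
     "container": {"id": "9ab4d2e1f0c7"},
     "process": {"name": "runc", "command_line": "runc --version"},
     "user": {"name": "root"}},
    # 5. Mixed-case name inside a container: ':' compares case-insensitively, so it matches.
    {"event": {"category": "process", "type": "start"},
     "container": {"id": "9ab4d2e1f0c7"},
     "process": {"name": "Crictl", "command_line": "Crictl ps"},
     "user": {"name": "root"}},
]


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS):
        print(alert)
```

Running the block yields two alerts (events 1 and 5); the host-side `dockerd` start is excluded by the `container.id: "*"` clause, which is the distinction the rule relies on. The alert dict carries `process.command_line` and `user.name` because, as the rule's false-positives note says, each hit still has to be triaged against legitimate administrative use, and those two fields are usually the quickest way to tell a deployment task from something that does not belong in the container.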
